Skip to content

nonstandardlogic/kubevscan

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

41 Commits

config/tls

config/tls

 
 

helm/kubevscan

helm/kubevscan

 
 

kubernetes

kubernetes

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

setup.sh

setup.sh

 
 

uninstall.sh

uninstall.sh

 
 

Repository files navigation

Kubevscan

What is this?

The goal of this project is to provide a vulnerability scanner that continuously scans containers deployed in a Kubernetes cluster.

The project creates for each pod a vulnerability scanner container based on the open-source project Trivy.

The vulnerability scanner is a sidecar container injected into the pod using the open-source project k8s-sidecar-injector.

The vulnerability scanner sidecar container is kubevscan-agent.

Installation

Set the environment variables defined in the setup.sh script. The variables ORG and DOMAIN are used to generated certs for the sidecar injector. The variables DEPLOYMENT and CLUSTER are used to create certs directories (example DEPLOYMENT=us-east-1 and CLUSTER=PRODUCTION).

ORG=
DOMAIN=
DEPLOYMENT=
CLUSTER=

Run the setup script which installs and configures the sidecar injector into the Kubernetes cluster.

$ ./setup.sh 
Starting to deploy components...

Set required variables in ca.conf csr-prod.conf..
Generating certs..
...

Check the sidecar injector logs.

$ kubectl logs --tail=60 -n kube-system -l k8s-app=k8s-sidecar-injector
172.18.0.1 - - [15/Oct/2020:14:29:30 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.18"
I1015 14:36:37.504124       1 main.go:131] triggering ConfigMap reconciliation
I1015 14:36:37.504153       1 watcher.go:151] Fetching ConfigMaps...
I1015 14:36:37.508225       1 watcher.go:158] Fetched 1 ConfigMaps
I1015 14:36:37.508488       1 watcher.go:179] Loaded InjectionConfig kubevscan from ConfigMap sidecar-test:kubevscan
I1015 14:36:37.508515       1 watcher.go:164] Found 1 InjectionConfigs in sidecar-test
I1015 14:36:37.508521       1 main.go:137] got 1 updated InjectionConfigs from reconciliation
I1015 14:36:37.508525       1 main.go:151] updating server with newly loaded configurations (1 loaded from disk, 1 loaded from k8s api)
I1015 14:36:37.508531       1 main.go:153] configuration replaced
172.18.0.1 - - [15/Oct/2020:14:36:40 +0000] "GET /health HTTP/2.0" 200 12 "" "kube-probe/1.18"
...

Quick Start

Deploy the test pod with the sidecar injector annotation injector.tumblr.com/request=kubescan

$ kubectl create -f kubernetes/debug-pod.yaml
pod/debian-debug created

Check the logs generated by Trivy sidecar in /var/log/kubevscan directory.

About

Kubernetes security scanner based on the open-source container vulnerability scanner Trivy.

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

24 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages